T1102.001: T1102.001

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 14/03/2020 23:24 · Modified 15/04/2026 12:25

Essential information

MITRE technique ID: T1102.001
Confidence: 100/100
Revoked: No
Published: 14/03/2020 23:24
Modified: 15/04/2026 12:25
Author / Source: The MITRE Corporation

Aliases

Dead Drop Resolver

Platforms

windows macos linux ESXi

Description

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

mitre-attack (T1102.001)
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (25)

Roaming Mantis uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Core Werewolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BRONZE BUTLER uses REDBALDKNIGHTTick

The MITRE Corporation Confidence 100

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TeamPCP uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Contagious Interview uses Gwisin GangTAG-121

The MITRE Corporation Confidence 100

[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT37 uses InkySquidGroup123

The MITRE Corporation Confidence 100

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Patchwork uses Hangover GroupChinastrats

The MITRE Corporation Confidence 100

[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Coquettte uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SecretCrow uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FAMOUS CHOLLIMA related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GlassWorm related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RTM related

The MITRE Corporation Confidence 100

[RTM](https://attack.mitre.org/groups/G0048) is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries.…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

13–24 of 25

ShadyHammock uses

Family
RUSTCLOAK uses

Family
Atomic MacOS Stealer (AMOS) uses

Family
Moudoor uses

Family
AppleChris uses

Family
CloverPlus uses

Family
Tsundere Botnet uses

Family
Rugmi uses

Family
SlugResin uses

Family
Vidar uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lumma Stealer uses

Family
SHub Reaper uses

Family

← Previous

Page / 7

1–12 of 75

Threat Actors Abuse claude.ai Shared Chat for ClickFix … related

AlienVault Confidence 100 19 MITREs 1 Malware 21 IOCs 21 Observables
WebAssembly Malware Found in Trojanized Open VSX Extensions related

AlienVault Confidence 100 17 MITREs 1 Malware 12 IOCs 12 Observables 1 APT
Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and … related

AlienVault Confidence 100 19 MITREs 2 Malwares 12 IOCs 12 Observables 1 APT
FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps … related

2 CVEs 19 MITREs 6 Malwares 4 Observables 1 APT
Operation Dragon Weave: Uncovering a China-Linked Campaign Targeting … related

17 MITREs 3 Malwares 12 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
The Worm That Keeps on Digging: Latest Wave related

17 MITREs 1 Observable 1 APT
macOS Stealer Spoofs Apple, Google, and Microsoft in … related

AlienVault Confidence 100 19 MITREs 4 Malwares 8 IOCs 8 Observables
Lorem Ipsum Malware: Trojanized MS Teams Installers related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
GachiLoader adopts AI skill lure related

19 MITREs 2 Malwares 9 Observables
73 Open VSX Sleeper Extensions Linked to Malware … related

AlienVault Confidence 100 18 MITREs 3 IOCs 3 Observables 1 APT
The npm Threat Landscape: Attack Surface and Mitigations related

20 MITREs 1 Malware 4 Observables 1 APT

← Previous

Page / 3

1–12 of 36

Vulnerabilities (CVE) (7)

CVE-2023-27350 KEV targets

9.8 Critical

PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context …

Attack vector: Network
Published: 21/04/2023
Modified: 21/12/2025

CVE-2025-20265 targets

10.0 Critical

A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to …

Attack vector: Network
Published: 14/08/2025
Modified: 27/05/2026

Awaiting Analysis

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2026-0628 targets

8.8 High

Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a …

Attack vector: NETWORK
Published: 07/01/2026
Modified: 09/03/2026

Undergoing Analysis

CVE-2018-20250 KEV targets

WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution

Published: 15/02/2022
Modified: 02/06/2026

CVE-2025-7775 KEV targets

9.2 Critical

Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured …

Attack vector: Network
Published: 26/08/2025
Modified: 27/05/2026

Analyzed

CVE-2024-7593 KEV targets

9.8 Critical

Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass …

Attack vector: Network
Complexity: LOW
Published: 13/08/2024
Modified: 06/06/2026

CWE-287 Received

Attack patterns (MITRE) (1)

T1102 subtechnique-of

Web Service MITRE

Campaign (2)

C0017 uses
3CX Supply Chain Attack uses

Course Of Action (1)

Restrict Web-Based Content mitigates

Contact About Legal notice Privacy policy Terms of use